Impact
The insecure tempfile.mktemp() is used when Horovod is run in an LSF job with jsrun. In that situation, a jsrun rank file is created with mktemp, which could be hijacked by another process to read or manipulate the content.
This issue does not impact the use of MPI, Gloo, Spark or Ray.
Patches
The problem has been fixed in b96ecae4.
Workarounds
The rank file is not created when binding_args are provided in the Settings instance.
References
Please see https://github.com/horovod/horovod/pull/3358 for details.
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/horovod/horovod
References
- https://github.com/horovod/horovod/security/advisories/GHSA-47wv-vhj2-g66m
- https://nvd.nist.gov/vuln/detail/CVE-2022-0315
- https://github.com/horovod/horovod/pull/3358
- https://github.com/horovod/horovod/commit/b96ecae4dc69fc0a83c7c2d3f1dde600c20a1b41
- https://huntr.dev/bounties/7e50397b-dd63-4bb5-b56d-704094a7da45
- https://github.com/pypa/advisory-database/tree/main/vulns/horovod/PYSEC-2022-175.yaml
- https://github.com/advisories/GHSA-47wv-vhj2-g66m